Security flaws in how airline boarding passes encode passenger approval information could open a loophole for terrorists, researchers have warned, after exploring the barcodes printed on US passes. Data on whether individual passengers have been cleared for the US PreCheck system is included in the barcode on the boarding documents, with Puckinflight highlighting that such information can be extracted using smartphone scanning apps. With it, passengers can discover whether they'll be allowed to go through security without removing shoes and other clothing, and leaving items such as toiletries and laptops in their bags.
"The problem is, the passenger and flight information encoded in barcode is not encrypted in any way. Using a web site I decoded my boarding pass for my upcoming trip" Puckinflight's John Butler writes. "[The information is] all there, PNR, seat assignment, flight number, name, ect. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps. 1 beep no Pre-Check, 3 beeps yes Pre-Check. On this trip as you can see I am eligible for Pre-Check. Also this information is not encrypted in any way."
While using a smartphone app could allow travelers to preview whether they'll be allowed through PreCheck or not at the airport, the more worrying possibility is that online check-in could allow terrorists to actually amend the barcode so as to change their security status. A simple barcode generator could be used to switch the PreCheck value to indicate lower security was required.
PreCheck inclusion is either via random selection or, for a fee of $100 to the US customs agency for pre-approval, each time you fly over a five year period. Some airlines throw in PreCheck membership as a perk for frequent flyers
Butler suggests that security systems should check to see if the barcode has been tampered by online check-in users, validating it with the version airlines have on record. Alternatively, the PreCheck data could be encrypted, making it harder to decode from the boarding pass and then re-generate.
The TSA has declined to comment on the security loophole.